# Play 1: make sure the cloud instance exists and its root volume has been
# grown, before anything is provisioned on it.  Fact gathering is skipped in
# this play; the included task files do all the work.
- name: check/create instance
  hosts: 209.132.184.142
  gather_facts: false
  user: root

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "{{ private }}/vars.yml"

  tasks:
    - include: "{{ tasks }}/persistent_cloud.yml"
    - include: "{{ tasks }}/growroot_cloud.yml"

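# Play 2: provision the copr backend itself.  Facts are gathered here because
# the per-distribution vars file below is chosen from ansible_distribution.
- name: provision instance
  hosts: 209.132.184.142
  user: root
  gather_facts: true

  vars_files:
    - /srv/web/infra/ansible/vars/global.yml
    - "{{ private }}/vars.yml"
    - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  # Roles are run first, before tasks, regardless of where you place them here.
  roles:
    - fedmsg_base

  tasks:
    - include: "{{ tasks }}/cloud_setup_basic.yml"
    - include: "{{ tasks }}/iptables.yml"

    - name: prepare mount point
      action: file state=directory path=/var/lib/copr/public_html

    - name: mount up disk of copr repo
      action: mount name=/var/lib/copr/public_html src='LABEL=copr-repo' fstype=ext4 state=mounted

    # We cannot use a repo pointing to ourselves :(
    #- name: copy copr.repo
    #  action: copy src=$files/copr/fe/yum/copr.repo dest=/etc/yum.repos.d/copr.repo

    # NOTE(review): the hostname command only sets the running kernel hostname
    # and reports "changed" on every run; confirm whether persistence across
    # reboots is handled elsewhere (e.g. by cloud_setup_basic.yml).
    - name: set the hostname
      shell: hostname copr-be.cloud.fedoraproject.org

    - name: copy .forward file
      action: copy src="{{ files }}/copr/forward" dest=/root/.forward owner=root group=root

    # packages needed
    - name: add packages for copr-be
      action: yum state=present name={{ item }}
      with_items:
        - copr-selinux
        - copr-backend
        - git
        - screen
        - fail2ban
        - system-config-firewall-base

    - name: make copr dirs
      file: state=directory path={{ item }}
      with_items:
        - /var/lib/copr/jobs
        - /var/lib/copr/public_html/results

    # NOTE(review): a umask set in a command applies only to that one child
    # process; it cannot change the mode later tasks (or copr-backend itself)
    # create files with, so this task is effectively a no-op.  If world-writable
    # result dirs are really intended, set mode= explicitly on "make copr dirs"
    # instead -- confirm, then drop this task.
    - name: Umask results
      action: command /usr/bin/umask 0000 chdir=/var/lib/copr/public_html/results

    - name: setup dirs there
      action: file state=directory path="/home/copr/{{ item }}" owner=copr group=copr mode=0700
      with_items:
        - cloud
        - .ssh

    - name: add copr-buildsys keys to copr user path
      action: copy src={{ item }} dest=/home/copr/cloud/ owner=copr group=copr mode=0600
      with_fileglob:
        - "{{ private }}/files/openstack/copr-copr/*"

    # Key material and dotfiles for the copr user are owner-only.  In key=value
    # form Ansible parses the mode string as octal, so 600 and 0600 mean the
    # same thing; the four-digit spelling is used throughout for consistency.
    - name: setup privkey for copr user
      action: copy src="{{ private }}/files/copr/buildsys.priv" dest=/home/copr/.ssh/id_rsa owner=copr group=copr mode=0600

    - name: setup copr user ssh config file
      action: copy src="{{ files }}/copr/ssh_config" dest=/home/copr/.ssh/config owner=copr group=copr mode=0600

    # NOTE(review): starting from an empty known_hosts means builder host keys
    # are learned on first contact; check the StrictHostKeyChecking setting in
    # the ssh_config copied above.
    - name: create empty known_hosts
      action: copy src=/dev/null dest=/home/copr/.ssh/known_hosts owner=copr group=copr mode=0600

    - name: replace bashrc for copr user
      action: copy src="{{ files }}/copr/copr_bashrc" dest=/home/copr/.bashrc owner=copr group=copr mode=0600

    - name: auth_key so we can login to localhost as the copr user from the copr user
      action: authorized_key user=copr key="{{ item }}"
      with_file:
        - "{{ files }}/copr/provision/files/buildsys.pub"

    # NOTE(review): no mode= is given, so the file gets the default mode
    # (typically 0644).  A .boto file usually carries cloud credentials --
    # confirm its contents and add mode=0600 if so.
    - name: copy .boto file
      action: copy src="{{ files }}/copr/boto" dest=/home/copr/.boto owner=copr group=copr

    # setup webserver
    - name: add config for copr-repo path
      action: copy src="{{ files }}/copr/lighttpd/lighttpd.conf" dest=/etc/lighttpd/lighttpd.conf owner=root group=root mode=0644
      notify:
        - restart lighttpd

    #  - name: copy httpd ssl certificates
    #    action: copy src="{{ puppet_private }}/httpd/{{ item }}" dest="/etc/lighttpd/{{ item }}" owner=root group=root mode=0600
    #    with_items:
    #    - coprs-be.fedoraproject.org.key
    #    - coprs-be.fedoraproject.org.crt
    #    notify:
    #    - concate ssl certs
    #    tags:
    #    - config

    # mime default to text/plain and enable dirlisting for indexes
    - name: update lighttpd configs
      action: copy src="{{ files }}/copr/lighttpd/{{ item }}" dest="/etc/lighttpd/conf.d/{{ item }}" owner=root group=root mode=0644
      with_items:
        - dirlisting.conf
        - mime.conf
      notify:
        - restart lighttpd

    - name: start webserver
      service: state=running enabled=yes name=lighttpd

    - name: start fail2ban
      service: state=running enabled=yes name=fail2ban

    # setup dirs for the ansible execution off of provisioning
    - name: dirs from provision
      action: file state=directory path="/home/copr/provision/{{ item }}" owner=copr group=copr
      with_items:
        - action_plugins
        - library
        - files
        - files/mock
      tags:
        - provision_config

    - name: put ansible.cfg for all this into /etc/ansible/ on the system
      action: copy src="{{ files }}/copr/provision/ansible.cfg" dest=/etc/ansible/ansible.cfg
      tags:
        - provision_config

    - name: put some files into the provision subdir
      action: copy src="{{ files }}/copr/provision/{{ item }}" dest="/home/copr/provision/{{ item }}"
      with_items:
        - inventory
        - builderpb.yml
        - terminatepb.yml
      tags:
        - provision_config

    - name: put files into the files subdir off of provisioning
      action: copy src={{ item }} dest=/home/copr/provision/files/
      with_fileglob:
        - "{{ files }}/copr/provision/files/*"
      tags:
        - provision_config

    # ansible lacks a recurse - so we need this until then
    - name: put files into the files/mock subdir off of provisioning
      action: copy src={{ item }} dest=/home/copr/provision/files/mock
      with_fileglob:
        - "{{ files }}/copr/provision/files/mock/*"
      tags:
        - provision_config

    # Backend config is root-owned but group-readable by copr, which is the
    # user the backend runs as.
    - name: copy copr-be.conf
      template: src="{{ files }}/copr/copr-be.conf" dest=/etc/copr/copr-be.conf owner=root group=copr mode=0640
      notify:
        - restart copr-backend
      tags:
        - config

    # The fedmsg cert is public; the key below is group-readable by copr only.
    - name: fedmsg certs
      copy: >
        src="{{ private }}/files/fedmsg-certs/keys/copr-copr-be.cloud.fedoraproject.org.crt"
        dest=/etc/pki/fedmsg/
        mode=0644
        owner=root
        group=copr

    - name: fedmsg keys
      copy: >
        src="{{ private }}/files/fedmsg-certs/keys/copr-copr-be.cloud.fedoraproject.org.key"
        dest=/etc/pki/fedmsg/
        mode=0640
        owner=root
        group=copr

    # open up ports (22, 80, 443)
    - name: poke holes in the firewall
      action: command lokkit {{ item }}
      with_items:
        - --service=ssh
        - --service=https
        - --service=http

  handlers:
    - include: "{{ handlers }}/restart_services.yml"

    # The .pem contains the TLS private key.  The command module does not
    # process shell redirections (the ">" would have been passed to cat as an
    # argument), so this must be a shell task; the umask makes sure the file is
    # never created world-readable before chmod_key tightens it.  (Only
    # reachable from the commented-out certificate task above.)
    - name: concate ssl certs
      shell: umask 077; cat /etc/lighttpd/coprs-be.fedoraproject.org.key /etc/lighttpd/coprs-be.fedoraproject.org.crt > /etc/lighttpd/coprs-be.fedoraproject.org.pem
      notify:
        - chmod_key
        - restart lighttpd

    - name: chmod_key
      action: file path=/etc/lighttpd/coprs-be.fedoraproject.org.pem owner=root group=root mode=0600

    - name: restart copr-backend
      service: name=copr-backend state=restarted

    - name: restart lighttpd
      service: name=lighttpd state=restarted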
